
ASA and C3560 routing problem

sysadmin (Level 1)

Hi

I'm new to firewalls, so apologies if I'm wrong anywhere.

Here is my setup.

I have a Cisco C3560 switch with multiple VLANs.

It is connected to an ASA 5505, which is further connected to the Internet.

C3560 <--> G0/46 <--> 10.40.250.2 <--> 10.40.250.1 <--> E0/1 <--> ASA 5505

My problem is I'm not able to ping Internet hosts from the switch. The reverse route is fine. I'm able to ping the switch and hosts on other VLANs.

And from the switch I'm able to ping 10.40.250.1 (ASA interface). But from the switch or my desktop I'm not able to go to the Internet.

Following are my configurations. Kindly help.

ASA Configuration

<code>
:
ASA Version 8.2(2)
!
hostname sg-fw2
names
!
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 10.40.250.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object-group network INTERNAL_RANGE
pager lines 24
logging enable
logging asdm informational
logging mail critical
mtu OUTSIDE 1500
mtu INSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
router eigrp 321
no auto-summary
default-metric 100000 1 255 1 1500
network 0.0.0.0 0.0.0.0
redistribute static
!
route INSIDE 10.40.0.0 255.255.0.0 10.40.250.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.40.0.0 255.255.0.0 INSIDE
snmp-server host INSIDE 10.40.12.210 poll community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.40.0.0 255.255.0.0 INSIDE
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3b4c6840cb9a7b2b490bcc2574f65371
: end
</code>

C3560 Switch Configuration

<code>
Building configuration...
Current configuration : 10370 bytes
!
! Last configuration change at 19:05:13 WST Sat Nov 2 2013 by sysadmin
!
version 15.0
no service pad
no service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
clock timezone WST 8 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
system mtu routing 1500
ip routing
!
!
!
ip dhcp snooping vlan 522
ip dhcp snooping
!
!
!
!
!
!
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig (STP)
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause vmps
errdisable recovery cause storm-control
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1-999 priority 24576
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/1
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/2
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/3
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/4
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/5
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/6
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/7
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/8
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/9
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/10
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/11
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/12
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/13
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/14
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/15
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/16
switchport access vlan 522
switchport mode access
!
interface GigabitEthernet0/17
switchport access vlan 523
!
interface GigabitEthernet0/18
description trunk to bm-sg-sw3 in other server room
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/19
description link to 3com switch for 10.40.12.x network
switchport access vlan 512
ip dhcp snooping trust
!
interface GigabitEthernet0/20
description link to drac card on xen server
switchport access vlan 523
switchport mode access
mls qos trust cos
!
interface GigabitEthernet0/21
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/22
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/23
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/24
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/25
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/26
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/27
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/28
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/29
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/30
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/31
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/32
switchport access vlan 512
switchport mode access
ip dhcp snooping trust
!
interface GigabitEthernet0/33
description servers in engineering room
switchport access vlan 523
mls qos trust cos
!
interface GigabitEthernet0/34
description link to rack for engineering network
switchport access vlan 523
mls qos trust cos
!
interface GigabitEthernet0/35
description C1841-F0/1
switchport access vlan 600
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/36
description ASA5510-F0/1
switchport access vlan 600
switchport mode access
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/37
description C2811-F0/0
switchport access vlan 600
switchport mode access
mls qos trust cos
spanning-tree portfast
!
interface GigabitEthernet0/38
description vmserver1
switchport access vlan 512
ip dhcp snooping trust
!
interface GigabitEthernet0/39
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/40
description build server nas
switchport access vlan 512
switchport mode access
!
interface GigabitEthernet0/41
description server farm b
switchport access vlan 522
!
interface GigabitEthernet0/42
switchport access vlan 523
switchport mode access
mls qos trust cos
!
interface GigabitEthernet0/43
description hub for engineering server farm
switchport access vlan 522
!
interface GigabitEthernet0/44
description connection for voip 2851
no switchport
ip address 10.40.40.1 255.255.255.0
!
interface GigabitEthernet0/45
no switchport
no ip address
!
interface GigabitEthernet0/46
description connection to ASA inside
no switchport
ip address 10.40.250.2 255.255.255.0
duplex full
!
interface GigabitEthernet0/47
description span port
!
interface GigabitEthernet0/48
!
interface GigabitEthernet0/49
description trunk to 3560-POE switch 2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode desirable
!
interface GigabitEthernet0/50
!
interface GigabitEthernet0/51
!
interface GigabitEthernet0/52
!
interface Vlan1
ip address 10.10.100.1 255.255.255.0
!
interface Vlan10
ip address 10.40.10.3 255.255.255.0
!
interface Vlan300
ip address 10.40.255.1 255.255.255.248
!
interface Vlan512
description corp_serv
ip address 10.40.12.1 255.255.255.0
!
interface Vlan520
description corp_con
ip address 10.40.200.1 255.255.254.0
!
interface Vlan522
description workstations
ip address 10.40.224.1 255.255.254.0 secondary
ip address 10.40.220.1 255.255.254.0
ip helper-address 10.40.12.253
ip helper-address 10.40.12.252
!
interface Vlan523
description office_lab
ip address 10.40.230.1 255.255.254.0
ip access-group vlan523_access_in in
no ip unreachables
!
!
router eigrp 321
network 3.0.0.0
network 10.0.0.0
eigrp stub connected summary
!
ip http server
ip http authentication local
ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 10.40.250.1
ip route 10.1.0.0 255.255.0.0 10.40.10.254
ip route 10.1.1.0 255.255.255.0 10.40.250.1
ip route 10.40.240.0 255.255.254.0 10.40.40.2
ip route 202.56.195.121 255.255.255.255 10.40.10.254
ip route 202.152.162.174 255.255.255.255 10.40.10.254
ip route 202.152.162.177 255.255.255.255 10.40.10.254
ip route 203.145.131.152 255.255.255.255 10.40.10.254
ip route 203.196.249.7 255.255.255.255 10.40.10.254
!
ip access-list extended search_for_192.168
permit ip any host 216.246.60.14 log-input
ip access-list extended vlan523_access_in
remark permit any tcp connection into this vlan to return
permit tcp any any established
remark allow DNS query
permit udp any host 10.40.12.253 eq domain
remark http access to fumes
permit tcp any host 10.26.156.51 eq www
permit tcp any host 10.26.156.51 eq 443
remark http access to 3.0 build machine
permit tcp any host 10.26.156.30 eq www
permit tcp any host 10.26.156.30 eq 443
remark allow communication between 10.40.231.205 and cisco cme
permit ip host 10.40.231.205 host 10.40.240.1
permit ip host 10.40.231.205 host 10.40.40.2
remark Allow IANA ephemeral port
permit udp any any range 49152 65535
permit udp any any range 25000 35000
permit udp any any range 40001 45000
remark permit connection to SingNet Proxy
permit tcp any host 220.255.4.9 eq 8080
remark http and NFS access to filesvr
permit tcp any host 10.40.12.248 eq www
permit tcp any host 10.40.12.248 eq 443
permit tcp any host 10.40.12.248 eq sunrpc
permit udp any host 10.40.12.248 eq sunrpc
permit tcp any host 10.40.12.248 eq 2049
permit udp any host 10.40.12.248 eq 2049
permit tcp any host 10.40.12.248 range 4000 4002
permit udp any host 10.40.12.248 range 4000 4002
remark permit sip traffic
permit tcp any any range 5060 5063
permit udp any any range 5060 5063
permit udp any any range 5000 5003
permit udp any any range 5010 5013
permit udp any any range 16384 32767
remark permit access to ldap server
permit tcp any host 10.40.12.247 eq 389
deny   icmp any any redirect
deny   icmp any any mask-request
permit icmp any any
permit ip 0.0.0.0 255.255.254.0 0.0.0.0 255.255.254.0
permit tcp 0.0.0.0 255.255.254.0 0.0.0.0 255.255.254.0
permit ip any any
permit tcp any any
!
logging trap warnings
logging facility syslog
logging source-interface Loopback0
logging host 10.40.12.210
!
!
!
!
!
line con 0
logging synchronous
line vty 0 4
privilege level 15
password 7 120F0B0F1F08545D79
transport preferred none
transport input telnet
transport output none
line vty 5 15
privilege level 15
password 7 120F0B0F1F08545D79
transport preferred none
transport input telnet
transport output none
!
!
monitor session 1 source vlan 1 - 4094
monitor session 1 destination interface Gi0/47
ntp server 10.40.12.253 prefer
end
</code>

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

The ASA is lacking NAT configurations.

You can do the basic Dynamic PAT translation with either of the below ways:

<code>
global (OUTSIDE) 1 interface
nat (INSIDE) 1 0.0.0.0 0.0.0.0
</code>

or

<code>
global (OUTSIDE) 1 interface
nat (INSIDE) 1 10.0.0.0 255.0.0.0
</code>

Hope this helps

- Jouni
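An added example, not part of the thread and not Cisco's code: a small Python checker for the pre-8.3 ASA `nat`/`global` pairing that the accepted answer adds. It shows why the posted config passes nothing (there is no `nat` line at all) and which inside sources each of the two suggested fixes covers; the config excerpt is constructed from the thread, and the function names are the example's own.

```python
import re
from ipaddress import ip_address, ip_network

# Pre-8.3 ASA syntax: "nat (IFACE) ID NET MASK" and "global (IFACE) ID <pool|interface>".
NAT_RE = re.compile(r"^\s*nat\s+\(([^)]+)\)\s+(\d+)\s+(\S+)\s+(\S+)")
GLOBAL_RE = re.compile(r"^\s*global\s+\(([^)]+)\)\s+(\d+)\s+")

def parse_nat(config):
    """Collect nat rules as (iface, id, network) and the global IDs per interface."""
    nats, globs = [], {}
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            iface, nid, net, mask = m.groups()
            nats.append((iface, int(nid), ip_network(f"{net}/{mask}", strict=False)))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globs.setdefault(m.group(1), set()).add(int(m.group(2)))
    return nats, globs

def is_translated(config, inside, outside, src):
    """True if a packet from `src` entering `inside` is dynamically translated towards `outside`.
    A nat rule only takes effect when a global with the same ID exists on the egress interface;
    NAT ID 0 is identity/exempt and never pairs with a global pool, so it is skipped."""
    nats, globs = parse_nat(config)
    host = ip_address(src)
    return any(iface == inside and nid != 0 and host in net and nid in globs.get(outside, set())
               for iface, nid, net in nats)

# Constructed excerpt modelled on the thread's ASA: interfaces and route, no nat/global lines.
BROKEN = """\
interface Ethernet0/0
 nameif OUTSIDE
 ip address dhcp setroute
interface Ethernet0/1
 nameif INSIDE
 ip address 10.40.250.1 255.255.255.0
route INSIDE 10.40.0.0 255.255.0.0 10.40.250.2 1
"""
# The two fixes from the accepted answer: translate any source, or only 10.0.0.0/8.
FIXED_ANY = BROKEN + "global (OUTSIDE) 1 interface\nnat (INSIDE) 1 0.0.0.0 0.0.0.0\n"
FIXED_10 = BROKEN + "global (OUTSIDE) 1 interface\nnat (INSIDE) 1 10.0.0.0 255.0.0.0\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed_any", FIXED_ANY), ("fixed_10", FIXED_10)):
        for src in ("10.40.220.5", "192.168.1.5"):
            print(f"{name:9} {src:12}", "translated" if is_translated(cfg, "INSIDE", "OUTSIDE", src) else "NOT translated")
```

The second fix is the tighter one: a workstation on 10.40.220.0/23 is translated, while a stray non-10.x source is not.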
